Mirrors/CTF-Writeups
2
0
Fork 0
mirror of https://github.com/AbdullahRizwan101/CTF-Writeups synced 2024-09-20 06:11:56 +00:00
Code Issues Projects Releases Packages Wiki Activity

Add files via upload

Browse source
This commit is contained in:
AbdullahRizwan101 2021-01-02 22:20:46 +05:00 committed by GitHub
parent 533da64cc5
commit ece90a9267
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 365 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

365
VulnHub/Stapler.md Normal file
View file

@ -0,0 +1,365 @@
# VulnHub-Stapler
This a beginner level linux box which was on TJnull's OSCP prep list. This box has many rabbit holes in it also I faced some issues running wpscan because this box is very old and has an older version of wordpress so you may need some patience in doing this box so let's just dig in.
## Netdiscover
<img src="https://imgur.com/xEjyduh.png"/>
## NMAP
```
Nmap scan report for 192.168.1.8
Host is up (0.00044s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: PASV failed: 550 Permission denied.
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.1.6
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 81:21:ce:a1:1a:05:b1:69:4f:4d:ed:80:28:e8:99:05 (RSA)
| 256 5b:a5:bb:67:91:1a:51:c2:d3:21:da:c0:ca:f0:db:9e (ECDSA)
|_ 256 6d:01:b7:73:ac:b0:93:6f:fa:b9:89:e6:ae:3c:ab:d3 (ED25519)
53/tcp open domain dnsmasq 2.75
| dns-nsid:
|_ bind.version: dnsmasq-2.75
80/tcp open http PHP cli server 5.5 or later
|_http-title: 404 Not Found
139/tcp open netbios-ssn Samba smbd 4.3.9-Ubuntu (workgroup: WORKGROUP)
666/tcp open doom?
| fingerprint-strings:
| NULL:
| message2.jpgUT
| QWux
| "DL[E
| #;3[
| \xf6
| u([r
| qYQq
| Y_?n2
| 3&M~{
| 9-a)T
| L}AJ
|_ .npy.9
3306/tcp open mysql MySQL 5.7.12-0ubuntu1
| mysql-info:
| Protocol: 10
| Version: 5.7.12-0ubuntu1
| Thread ID: 9
| Capabilities flags: 63487
| Some Capabilities: Speaks41ProtocolOld, Support41Auth, IgnoreSpaceBeforeParenthesis, SupportsTransactions, LongColumnFlag, SupportsLoadDataLocal, IgnoreSigpipes, InteractiveClient, FoundRows, LongPassword, Speaks41ProtocolNew, ODBCClient, DontAllowDatabaseTableColumn, SupportsCompression, ConnectWithDatabase, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins
| Status: Autocommit
| Salt: }\x13V\x10\x06 *<,`\x0D\x0C\x0E88 ]7JV
|_ Auth Plugin Name: mysql_native_password
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port666-TCP:V=7.80%I=7%D=12/25%Time=5FE52027%P=x86_64-pc-linux-gnu%r(NU
SF:LL,2D58,"PK\x03\x04\x14\0\x02\0\x08\0d\x80\xc3Hp\xdf\x15\x81\xaa,\0\0\x
SF:152\0\0\x0c\0\x1c\0message2\.jpgUT\t\0\x03\+\x9cQWJ\x9cQWux\x0b\0\x01\x
SF:04\xf5\x01\0\0\x04\x14\0\0\0\xadz\x0bT\x13\xe7\xbe\xefP\x94\x88\x88A@\x
SF:a2\x20\x19\xabUT\xc4T\x11\xa9\x102>\x8a\xd4RDK\x15\x85Jj\xa9\"DL\[E\xa2
SF:\x0c\x19\x140<\xc4\xb4\xb5\xca\xaen\x89\x8a\x8aV\x11\x91W\xc5H\x20\x0f\
SF:xb2\xf7\xb6\x88\n\x82@%\x99d\xb7\xc8#;3\[\r_\xcddr\x87\xbd\xcf9\xf7\xae
SF:u\xeeY\xeb\xdc\xb3oX\xacY\xf92\xf3e\xfe\xdf\xff\xff\xff=2\x9f\xf3\x99\x
SF:d3\x08y}\xb8a\xe3\x06\xc8\xc5\x05\x82>`\xfe\x20\xa7\x05:\xb4y\xaf\xf8\x
SF:a0\xf8\xc0\^\xf1\x97sC\x97\xbd\x0b\xbd\xb7nc\xdc\xa4I\xd0\xc4\+j\xce\[\
SF:x87\xa0\xe5\x1b\xf7\xcc=,\xce\x9a\xbb\xeb\xeb\xdds\xbf\xde\xbd\xeb\x8b\
SF:xf4\xfdis\x0f\xeeM\?\xb0\xf4\x1f\xa3\xcceY\xfb\xbe\x98\x9b\xb6\xfb\xe0\
SF:xdc\]sS\xc5bQ\xfa\xee\xb7\xe7\xbc\x05AoA\x93\xfe9\xd3\x82\x7f\xcc\xe4\x
SF:d5\x1dx\xa2O\x0e\xdd\x994\x9c\xe7\xfe\x871\xb0N\xea\x1c\x80\xd63w\xf1\x
SF:af\xbd&&q\xf9\x97'i\x85fL\x81\xe2\\\xf6\xb9\xba\xcc\x80\xde\x9a\xe1\xe2
SF::\xc3\xc5\xa9\x85`\x08r\x99\xfc\xcf\x13\xa0\x7f{\xb9\xbc\xe5:i\xb2\x1bk
SF:\x8a\xfbT\x0f\xe6\x84\x06/\xe8-\x17W\xd7\xb7&\xb9N\x9e<\xb1\\\.\xb9\xcc
SF:\xe7\xd0\xa4\x19\x93\xbd\xdf\^\xbe\xd6\xcdg\xcb\.\xd6\xbc\xaf\|W\x1c\xf
SF:d\xf6\xe2\x94\xf9\xebj\xdbf~\xfc\x98x'\xf4\xf3\xaf\x8f\xb9O\xf5\xe3\xcc
SF:\x9a\xed\xbf`a\xd0\xa2\xc5KV\x86\xad\n\x7fou\xc4\xfa\xf7\xa37\xc4\|\xb0
SF:\xf1\xc3\x84O\xb6nK\xdc\xbe#\)\xf5\x8b\xdd{\xd2\xf6\xa6g\x1c8\x98u\(\[r
SF:\xf8H~A\xe1qYQq\xc9w\xa7\xbe\?}\xa6\xfc\x0f\?\x9c\xbdTy\xf9\xca\xd5\xaa
SF:k\xd7\x7f\xbcSW\xdf\xd0\xd8\xf4\xd3\xddf\xb5F\xabk\xd7\xff\xe9\xcf\x7fy
SF:\xd2\xd5\xfd\xb4\xa7\xf7Y_\?n2\xff\xf5\xd7\xdf\x86\^\x0c\x8f\x90\x7f\x7
SF:f\xf9\xea\xb5m\x1c\xfc\xfef\"\.\x17\xc8\xf5\?B\xff\xbf\xc6\xc5,\x82\xcb
SF:\[\x93&\xb9NbM\xc4\xe5\xf2V\xf6\xc4\t3&M~{\xb9\x9b\xf7\xda-\xac\]_\xf9\
SF:xcc\[qt\x8a\xef\xbao/\xd6\xb6\xb9\xcf\x0f\xfd\x98\x98\xf9\xf9\xd7\x8f\x
SF:a7\xfa\xbd\xb3\x12_@N\x84\xf6\x8f\xc8\xfe{\x81\x1d\xfb\x1fE\xf6\x1f\x81
SF:\xfd\xef\xb8\xfa\xa1i\xae\.L\xf2\\g@\x08D\xbb\xbfp\xb5\xd4\xf4Ym\x0bI\x
SF:96\x1e\xcb\x879-a\)T\x02\xc8\$\x14k\x08\xae\xfcZ\x90\xe6E\xcb<C\xcap\x8
SF:f\xd0\x8f\x9fu\x01\x8dvT\xf0'\x9b\xe4ST%\x9f5\x95\xab\rSWb\xecN\xfb&\xf
SF:4\xed\xe3v\x13O\xb73A#\xf0,\xd5\xc2\^\xe8\xfc\xc0\xa7\xaf\xab4\xcfC\xcd
SF:\x88\x8e}\xac\x15\xf6~\xc4R\x8e`wT\x96\xa8KT\x1cam\xdb\x99f\xfb\n\xbc\x
SF:bcL}AJ\xe5H\x912\x88\(O\0k\xc9\xa9\x1a\x93\xb8\x84\x8fdN\xbf\x17\xf5\xf
SF:0\.npy\.9\x04\xcf\x14\x1d\x89Rr9\xe4\xd2\xae\x91#\xfbOg\xed\xf6\x15\x04
SF:\xf6~\xf1\]V\xdcBGu\xeb\xaa=\x8e\xef\xa4HU\x1e\x8f\x9f\x9bI\xf4\xb6GTQ\
SF:xf3\xe9\xe5\x8e\x0b\x14L\xb2\xda\x92\x12\xf3\x95\xa2\x1c\xb3\x13\*P\x11
SF:\?\xfb\xf3\xda\xcaDfv\x89`\xa9\xe4k\xc4S\x0e\xd6P0");
MAC Address: 08:00:27:E1:68:35 (Oracle VirtualBox virtual NIC)
Service Info: Host: RED; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 4h59m57s, deviation: 0s, median: 4h59m57s
|_nbstat: NetBIOS name: RED, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.9-Ubuntu)
| Computer name: red
| NetBIOS computer name: RED\x00
| Domain name: \x00
| FQDN: red
|_ System time: 2020-12-25T04:11:44+00:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-12-25T04:11:45
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.74 seconds
```
```
nmap --script dns-nsid 192.168.1.8
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-25 04:41 PKT
Nmap scan report for 192.168.1.8
Host is up (0.0010s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE
20/tcp closed ftp-data
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
| dns-nsid:
|_ bind.version: dnsmasq-2.75
80/tcp open http
139/tcp open netbios-ssn
666/tcp open doom
3306/tcp open mysql
MAC Address: 08:00:27:E1:68:35 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 14.48 seconds
```
## FTP (PORT 21)
<img src="https://imgur.com/BV1Y1AU.png"/>
The banner gives us a name "harry" so it can be a username
<img src="https://imgur.com/UCShAQ3.png"/>
```
Elly, make sure you update the payload information. Leave it in your FTP account once your are done, John.
```
Again this note has some usernames
## SMB (PORT 139)
To enumarate smb we run `enum4linux` . I am using an updated version of it which is called enum4linux-ng.
<img src="https://imgur.com/Vy71cfA.png"/>
<img src="https://imgur.com/Vy71cfA.png"/>
Here it did found some user names
### Hydra
Now using hydra we will try to crack the credentials for ftp by using the same wordlist of user we found for passwords and users
<img src="https://imgur.com/vyNYlrc.png"/>
Again if we use this wordlist for ssh we will get the same result and will be able to login into the box
<img src="https://imgur.com/7sE8lwr.png"/>
<img src="https://imgur.com/QrwM5RB.png"/>
On running ss -tupln to see which ports are open on the box we see port `12380`
Also there are some directories on webserver
<img src="https://imgur.com/4xlTbKB.png"/>
But going on to port 80 we don't find any directories and ruuning gobuster is useless because it doesn't show anything interesting
## PORT 80
<img src="https://imgur.com/Oa5VivL.png"/>
<img src="https://imgur.com/d2ULBmN.png"/>
## PORT 12380
<img src="https://imgur.com/ybnycg8.png"/>
Running nikto on this port it returned as that these directories do exists the ones we found in `/var/www/https`
<img src="https://imgur.com/ftrTgiq.png"/>
<img src="https://imgur.com/YsE7WS1.png"/>
## Wpscan
On running `wpscan` along with port 12380 on directory `blogblog` which is a wordpress site it gave me erros
<img src="https://imgur.com/VI9pcc7.png"/>
So added a parameter `--disable-tls-checks` and it worked fine
<img src="https://imgur.com/Sw8C8LR.png"/>
<img src="https://imgur.com/YwDbJVA.png"/>
Now we know the registered users on wordpress , let's enumerate more to get plugins
<img src="https://imgur.com/IgdmMJl.png"/>
<img src="https://imgur.com/7ALUtkZ.png"/>
It didn't returned me any plugins so now add a paramter `--plugins-detection aggressive` there are only three modes for detecting plugins passive,mixed and agressive
<img src="https://imgur.com/qmXBpl1.png"/>
<img src="https://imgur.com/PgDPxzF.png"/>
<img src="https://imgur.com/kfjMT0Q.png"/>
Using this technique I was able to identify 4 plugins
```
two-factor
shortcode-ui
akismet
advanced-video-embed-embed-videos-or-playlists
```
Searching for an exploit for one these plugins I found something on exploit-db
<img src="https://imgur.com/5bIC8uJ.png"/>
<img src="https://imgur.com/t7NCM5M.png"/>
So here only LFI can be useful.
<img src="https://imgur.com/VW3kRij.png"/>
Edit the exploit by putting the proper url where `blogblog` is
<img src="https://imgur.com/xdEHmSr.png"/>
And it will throw this error
<img src="https://imgur.com/jKPN1fG.png"/>
To resolve this import ssl and a line `ssl._create_default_https_context = ssl._create_unverified_context`
<img src="https://imgur.com/Gv28vRN.png"/>
On running this exploit it will create a jpeg file with random string
<img src="https://imgur.com/h95s0Ss.png"/>
When we'll download this it will be php script in which the contents of `wp-config.php` are stored but we don't need to do this as we have our foothold on to the box and we can just search for that file
<img src="https://imgur.com/javj7NZ.png"/>
<img src="https://imgur.com/7IwSAro.png"/>
And we will find the credentials for mysql database since port 3306 is running we can connect to it
<img src="https://imgur.com/KnkGHHR.png"/>
<img src="https://imgur.com/Vg2iPsD.png"/>
<img src="https://imgur.com/qK9XQIy.png"/>
<img src="https://imgur.com/kaGpxTd.png"/>
We get a bunch of usernames and passwords but we need to crack these hashes so lets store them in a file and to crack them I will be using johntheripper but you can do it with hashcat for that you need to specify with what kind of hash are we dealing with so I went up to hashcat examples and found this is a wordpress MD5 hash
<img src="https://imgur.com/EdqNJ1V.png"/>
<img src="https://imgur.com/WQ9wRjR.png"/>
On cracking those hashes
```
john:$P$B7889EMq/erHIuZapMB8GEizebcIy9. :incorrect
elly:$P$BlumbJRRBit7y50Y17.UPJ/xEgv4my0 :ylee
peter:$P$BTzoYuAFiBA5ixX2njL0XcLzu67sGD0 :washere
barry:$P$BIp1ND3G70AnRAkRY41vpVypsTfZhk0 :passphrase
heather:$P$Bwd0VpK8hX4aN.rZ14WDdhEIGeJgf10 :football
garry:$P$BzjfKAHd6N4cHKiugLX.4aLes8PxnZ1 :monkey
harry:$P$BqV.SQ6OtKhVV7k7h1wqESkMh41buR0 :cookie
scott:$P$BFmSPiDX1fChKRsytp1yp8Jo7RdHeI1 :coolgirl
kathy:$P$BZlxAMnC6ON.PYaurLGrhfBi6TjtcA0 :thumb
tim:$P$BXDR7dLIJczwfuExJdpQqRsNf.9ueN0 :damachine
zoe:$P$B.gMMKRP11QOdT5m1s9mstAUEDjagu1 :0520
dave:$P$Bl7/V9Lqvu37jJT.6t4KWmY.v907Hy. : -
simon:$P$BLxdiNNRP008kOQ.jE44CjSK/7tEcz0 : -
abby:$P$ByZg5mTBpKiLZ5KxhhRe/uqR.48ofs. : -
vicki:$P$B85lqQ1Wwl2SqcPOuKDvxaSwodTY131 : -
pam:$P$BuLagypsIJdEuzMkf20XyS5bRm00dQ0 : -
```
<img src="https://imgur.com/XLnbkqe.png"/>
<img src="https://imgur.com/lJNV13K.png"/>
On logging in with username `john` we can see that we are administrator. Now we cannot upload a php file directly but we can upload it through a plugin upload
<img src="https://imgur.com/tvt0EJ7.png"/>
<img src="https://imgur.com/A2RBaXR.png"/>
<img src="https://imgur.com/TS7lfzb.png"/>
But we are in the same situation and this was again a rabbit hold that we got into so only thing now we can do is look for general information about the linux os
<img src="https://imgur.com/tkRLApC.png"/>
So, the os is ubuntu 16.04 and kernel version is 4.4.0-21
<img src="https://imgur.com/O2HFAwr.png"/>
But by the result `i686 i686 i686` it says that it is 32 bit architecture.
<img src="https://imgur.com/rBe0CnJ.png"/>
So this may be the exploit that will work
On reading the text file that is found with searchsploit it would tell to go to site where zip file is uploaded for the exploit.
<img src="https://imgur.com/nXUtiL1.png"/>
And according to the read we have to run `compile.sh` and `doubleput`.
<img src="https://imgur.com/o3JitMv.png"/>
Transfer exploit.tar to the target box and extract .tar
<img src="https://imgur.com/yEnp5QS.png"/>
Now compile the doubleput.c and ran compile.sh and doubleput
<img src="https://imgur.com/kai9kC8.png"/>